CVE-2023-27350 CRITICAL

CVE-2023-27350

Vendor Papercut

Product NG

Weakness CWE-284

KEV Status Known Exploited

Ransomware Used in campaigns

Published April 20, 2023

Last update October 21, 2025

View on NVD All CVEs

CVSS base score

9.8/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). Authentication is not required to exploit this vulnerability. The specific flaw exists within the SetupCompleted class. The issue results from improper access control. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-18987.

CISA mandated remediation

02CISA Required Action

Apply updates per vendor instructions.

Key dates

03Disclosure timeline

April 20, 2023 CVE published

October 21, 2025 Record updated

External resources

04References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-27350 CISA KEV Reference https://www.papercut.com/kb/Main/PO-1216-and-PO-1219 CISA KEV Reference https://nvd.nist.gov/vuln/detail/CVE-2023-27350

Related vulnerabilities

CVE-2023-27350

01Description

02CISA Required Action

03Disclosure timeline

04References

05Related CVE